CIS publishes hardening guidance for Red Hat OpenShift Virtualization

Source: Red Hat Blog

The Center for Internet Security® (CIS®) has officially published guidance for hardening Red Hat OpenShift Virtualization.

The official publication of the new CIS Benchmark® for Red Hat OpenShift Virtualization is an important development for organizations running traditional virtual machines (VMs) alongside modern containers. OpenShift Virtualization is a feature of Red Hat OpenShift that allows existing VM‑based workloads to run directly on the platform. This globally recognized, consensus‑driven benchmark provides recommendations for creating a security‑focused configuration for those environments.

Who is CIS and what is a CIS Benchmark?

CIS is a community‑driven nonprofit organization, which aims to “make the connected world a safer place” for businesses, governments, and people by developing and promoting best‑practice solutions.

The CIS Benchmarks are one of those core solutions. They are a set of globally recognized best practices to help secure operating systems (OSs), servers, and other technology. Developed and maintained by a global community of IT professionals, the CIS Benchmarks provide prescriptive instructions for creating a security‑focused configuration baseline. The new CIS Benchmark for OpenShift Virtualization was developed based on the OpenShift Virtualization Hardening Guide.

Key security optimizations

The CIS Benchmark provides detailed recommendations to strengthen your security posture by focusing on four key areas of optimization:

• Harden the platform from the ground up – guidance on restricting GPU and USB pass‑through to approved devices and disabling non‑essential feature gates.
• Control workloads at every layer – fine‑grained controls such as restricting exec and virtual network computing (VNC) access to approved administrators and disabling features like guest‑memory overcommit.
• Segment and protect network traffic – use networking controls like Virtual Local Area Networks (VLANs) to isolate tenant or application traffic and apply Media Access Control (MAC) spoof filtering.
• Safeguard data integrity in storage – extend security policies into the storage plane, with recommendations to restrict data volume cloning across namespaces and disable unnecessary shareable disks.

How to implement

Implementing this benchmark is less about complex reconfiguration and more about simple verification. Because OpenShift Virtualization is engineered to have maximum security controls in place out‑of‑the‑box, you likely already have the majority of these protections. The benchmark acts as prescriptive guidance to help you audit your environment. To get started, cross‑reference your current setup against the OpenShift Virtualization Hardening Guide to ensure standard safety settings haven’t been altered.

Get the CIS Benchmark

By implementing the CIS Benchmark for OpenShift Virtualization, your organization can enforce consistent security capabilities across workloads on your hybrid cloud platform, protecting both containerized and virtualized applications.

To see the full list of recommendations and download the CIS Benchmark, visit the official CIS Benchmarks page.